Putting It All Together
Figure 5-4 depicts a simple CBAC scenario for protecting a web server in the internal network. CBAC inspection can be applied on internal or external interfaces. Access list 101 permits HTTP traffic that originates from the external network and is destined for the web server; all other traffic is explicitly denied. Traffic originating from the internal network (the protected zone) passes through the router and is inspected: CBAC maintains a session table entry for each such connection and punches a corresponding dynamic ACL entry into ACL 101 so that all returning traffic for that session is allowed.
Figure 5-4. Putting It All Together
IOS Firewall Advanced Features
Several new enhancements and advanced capabilities have been added in the IOS Firewall feature set in IOS Software 12.3T
and 12.4 mainline versions. The following section highlights some of the commonly used advanced features.
HTTP Inspection Engine
The HTTP inspection engine in the IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. With a conventional firewall, non-HTTP traffic (for example, Instant Messaging (IM) or any malicious traffic) can be embedded or tunneled inside web traffic on HTTP port 80, thereby bypassing the firewall.
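The following IOS configuration is an added example, not taken from the book or from Figure 5-4, that puts the two preceding sections into concrete form: ACL 101 admits only HTTP to the internal web server, CBAC inspection on the external interface creates the dynamic return-traffic entries for sessions started from the protected zone, and an application firewall policy tied to the same inspection rule checks that what arrives on port 80 is really HTTP. All addresses, interface names and policy names (192.0.2.0/24, 203.0.113.0/24, FastEthernet0/0 and 0/1, FW_INSPECT, APPFW_HTTP) are constructed for illustration and assume no NAT between the router and the server.

```cisco
! --- Application firewall policy (constructed name): reject non-HTTP traffic on port 80
appfw policy-name APPFW_HTTP
 application http
  ! Enforce RFC-conformant HTTP; reset and log anything that is not
  strict-http action reset alarm
  ! Reset and log instant-messaging traffic tunneled over port 80
  port-misuse im action reset alarm
!
! --- CBAC inspection rule (constructed name) covering generic TCP/UDP plus HTTP
ip inspect name FW_INSPECT appfw APPFW_HTTP
ip inspect name FW_INSPECT http
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
!
! --- ACL 101: only HTTP from outside to the web server (192.0.2.10 is a constructed address)
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 deny ip any any log
!
! --- External (untrusted) interface: filter inbound, inspect outbound
interface FastEthernet0/0
 description external / untrusted
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
 ip inspect FW_INSPECT out
!
! --- Internal (protected) interface: no filtering needed here
interface FastEthernet0/1
 description internal / protected zone
 ip address 192.0.2.1 255.255.255.0
```

Because the inspection rule is applied outbound on FastEthernet0/0, every session initiated from the protected zone is recorded in the CBAC session table, and the router adds a temporary entry ahead of the static lines of ACL 101 for the reply packets; when the session closes or times out the entry is removed. The state table can be checked with `show ip inspect sessions`, and the `log` keyword on the final deny records anything that matched neither the static HTTP permit nor a dynamic entry.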